Re: CodeRed

From: Ryan Russell (ryanat_private)
Date: Thu Jul 19 2001 - 20:50:53 PDT

  • Next message: Fulton L. Preston Jr.: "RE: CodeRed"

    Yes, responding to my own post, I know (actually, I left incidents on the
    post below by mistake...)
    
    As several people have pointed out, the person who made the 1.17M claim
    later revised it to "only" about 200K or so.  And that's just him.  I have
    no real difficulty believing that we've in the 100's of thousands
    neighborhood at this point.
    
    This is the most "successful" worm I've ever seen.  Parts of the code are
    damn clever as well (take a real close look at how it "hacks" the web
    pages.)
    
    The worm would also be dead simply to modify, as well.  All that you would
    need for simple mods is a hex editor.  I'm pretty sure we'll see copycats
    in the next few days.
    
    Things could get pretty bad in the short term.
    
    					Ryan
    
    On Thu, 19 Jul 2001, Ryan Russell wrote:
    
    > I'm a bit stunned at the moment by a note to Bugtraq from a guy at LBL who
    > claims that 1.17 Million different IP addresses have tried his address
    > space, meaning that at least that many different IIS boxes have been
    > nailed.  I'm rather amazed.
    >
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:39:05 PDT